Detecting anomalous resources and events in social data

ABSTRACT

Systems, devices, media and methods are presented for detecting anomalous resources and events in social data. The systems and methods receive a plurality of events associated with a plurality of resources, wherein the plurality of events includes a plurality of features. The systems and methods detect a set of anomalous resources from the plurality of resources and identify a set of anomalous events associated with the set of anomalous resources. The systems and methods cause an interface to be displayed on a computing device, wherein the interface includes the set of anomalous resources and the set of anomalous events.

CLAIM OF PRIORITY

This application is a continuation of U.S. patent application Ser. No. 16/235,990, filed on Dec. 28, 2018, which is incorporated herein by reference in its entirety.

TECHNICAL FIELD

Embodiments of the present disclosure relate generally to social network security and privacy. More particularly, but not by way of limitation, the present disclosure addresses systems and methods for detecting abusive behavior on online social platforms.

BACKGROUND

The prevalence of abusive behavior on online social platforms has risen considerably in recent years. As social platforms become increasingly omnipresent communication and information sharing platforms, bad actors are incentivized to engage in abusive behaviors for profit on behalf of personal or corporate interests for gain. These behaviors can include account creation efforts, social spam by propagating content over a network, account hijacking efforts for purposes of humiliation or exploitation, and more. As a result, the broader research community has invested substantial resources on tackling a wide variety of mis-behavior problems spanning applications such combating e-mail phishing attacks, malware detection, network intrusion, livestreaming abuse, social and content spam, fake account registration, account compromise and many more.

BRIEF DESCRIPTION OF THE DRAWINGS

To easily identify the discussion of any particular element or act, the most significant digit or digits in a reference number refer to the figure number in which that element is first introduced.

In the drawings, which are not necessarily drawn to scale, like numerals may describe similar components in different views. Like numerals having different letter suffixes may represent different instances of similar components. Some embodiments are illustrated by way of example, and not limitation, in the figures of the accompanying drawings in which:

FIG. 1 is a block diagram showing an example malware detection system over a network.

FIG. 2 is a block diagram illustrating a anomalous resources and events detection system, according to an example embodiment.

FIG. 3 is a block diagram illustrating a anomalous resources and events detection system, according to an example embodiment.

FIG. 4 is a block diagram illustrating a anomalous resources and events detection system, according to an example embodiment.

FIG. 5 is a flow diagram illustrating an example method for finding anomalous resources and events in social data, according to some example embodiments.

FIG. 6 is a flow diagram illustrating an example method for detecting a set of anomalous resources (operation 504 in 5) in the method for finding anomalous resources and events in social data, according to some example embodiments.

FIG. 7 is a flow diagram illustrating an example method for identifying a set of anomalous events (operation 506 in FIG. 5) in the method for finding anomalous resources and events in social data, according to some example embodiments.

FIG. 8 is a diagrammatic illustration of an event cluster, according to an example embodiment.

FIG. 9 is a diagrammatic representation of a machine in the form of a computer system within which a set of instructions may be executed for causing the machine to perform any one or more of the methodologies discussed herein, in accordance with some example embodiments.

FIG. 10 is block diagram showing a software architecture within which the present disclosure may be implemented, in accordance with example embodiments.

DETAILED DESCRIPTION

The description that follows includes systems, methods, techniques, instruction sequences, and computing machine program products illustrative of embodiments of the disclosure. In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide an understanding of various embodiments of the inventive subject matter. It will be evident, however, to those skilled in the art, that embodiments of the inventive subject matter may be practiced without these specific details. In general, well-known instruction instances, protocols, structures, and techniques are not necessarily shown in detail.

One aspect of the present disclosure describes a system for detecting anomalous resources and anomalous events. The system provides an unsupervised approach for a resource-based anomaly detection problem, where resources represent fixed constraints for bad actors. Resource constraints may be for example IP addresses or computer devices.

For example, given an event-log, where each event has at least one numerical, categorical or textual feature and is associated with a resource, the system detects the anomalous resources and identifies corresponding anomalous events. Large-scale online systems typically log events which relevant features, which are triggered by certain application actions such as button clicks, form actions, and application flows. Over time, these event-logs grow with increasing activity.

This event-log can be a multiset E of event tuples where each tuple ea E supp(F₁)×supp(F₂)× . . . supp(F_(d)), given descriptive event feature spaces F₁ . . . F_(d). We consider that the instances of event features, f₁ . . . f_(d) are categorical, numerical or textual. Moreover, each e_(i) is associated with a timestamp T(e_(i)) and a resource identifier R(e_(i))∈R. The system may consider any identifier type such as IP addresses, or client devices.

Second, given a set of anomalous resources, R_(A) and associated candidate set C={e∈ε|R(e)∈R_(A)}, identify the suspected culpable events ε_(A)∈C. Details of the anomalous resources and events detection system are provided below,

FIG. 1 is a block diagram illustrating a system 100, according to some example embodiments, configured to automatically detect an abusive entity (e.g., a user). The system 100 includes one or more client devices such as client device 110, The client device 110 comprises, but is not limited to, a mobile phone, desktop computer, laptop, portable digital assistants (PDA), smart phone, tablet, ultrabook, netbook, laptop, multi-processor system, microprocessor-based or programmable consumer electronic, game console, set-top box, computer in a vehicle, or any other communication device that a user may utilize to access the system 100. In some embodiments, the client device 110 comprises a display module (not shown) to display information (e.g., in the form of user interfaces). In further embodiments, the client device 110 comprises one or more of touch screens, accelerometers, gyroscopes, cameras, microphones, global positioning system (GPS) devices, and so forth. The client device 110 may be a device of a user that is used to access and utilize an online social platform. For example, the client device 110 may be used to input information to create an account, send spam by propagating content over a network 104, hijack an existing account for purposes of humiliation or exploitation, and so forth.

For example, client device 110 is a device of a given user who would like to create an account on an online social platform. Client device 110 accesses a website of an online social platform (e.g., hosted by server system 108). The user inputs login credentials associated with the user. Server system 108 receives the request and provides access to the online social platform.

As another example, client device 110 is a device of a given abusive user who would like to compromise an existing account for purposes of abusive behavior. Client device 110 accesses a website of the online social platform (e.g., hosted by server system 108). The abusive user repeatedly attempts to input login credentials for the existing account. Server system 108 receives the repeated abusive user inputs and automatically identifies the client device 110 of the abusive user as an anomalous resource. Server system 108 also identifies the login attempts by the abusive user as an anomalous event. Server system 108 blocks the abusive user from accessing the online social platform.

One or more users may be a person, a machine, or other means of interacting with the client device 110. In example embodiments, the user may not be part of the system 100 but may interact with the system 100 via the client device 110 or other means. For instance, the user may provide input (e.g., touch screen input or alphanumeric input) to the client device 110 and the input may be communicated to other entities in the system 100 (e.g., third-party servers 130, server system 108, etc.) via the network 104. In this instance, the other entities in the system 100, in response to receiving the input from the user, may communicate information to the client device 110 via the network 104 to be presented to the user. In this way, the user interacts with the various entities in the system 100 using the client device 110.

The system 100 further includes a network 104. One or more portions of network 104 may be an ad hoc network, an intranet, an extranet, a virtual private network (VPN), a local area network (LAN), a wireless LAN (WLAN), a wide area network (WAN), a wireless WAN (WWAN), a metropolitan area network (MAN), a portion of the Internet, a portion of the public switched telephone network (PSTN), a cellular telephone network, a wireless network, a WiFi network, a WiMax network, another type of network, or a combination of two or more such networks.

The client device 110 may access the various data and applications provided by other entities in the system 100 via web client 112 (e.g., a browser) or one or more client applications 114. The client device 110 may include one or more client application(s) 114 (also referred to as “apps”) such as, but not limited to, a web browser, messaging application, electronic mail (email) application, an e-commerce site application, a mapping or location application, an online home buying and selling application, a real estate application, and the like.

In some embodiments, one or more client application(s) 114 are included in a given one of the client device 110, and configured to locally provide the user interface and at least some of the functionalities, with the client application(s) 114 configured to communicate with other entities in the system 100 (e.g., third-party third party server(s) 128, server system 108, etc.), on an as-needed basis, for data processing capabilities not locally available (e.g., to access location information, to authenticate a user, etc.). Conversely, one or more client application(s) 114 may not be included in the client device 110, and then the client device 110 may use its web browser to access the one or more applications hosted on other entities in the system 100 (e.g., third-party third party server(s) 128, server system 108, etc.

A server system 108 provides server-side functionality via the network 104 (e.g., the Internet or wide area network (WAN)) to: one or more third party server(s) 128, and one or more client devices 110. The server system 108 includes an application program interface (API) server 120, a web server 122, and an anomalous resources and events detection system 124, that may be communicatively coupled with one or more database(s) 126. The one or more database(s) 126 may be storage devices that store data related to users of the server system 108, applications associated with the server system 108, cloud services, housing market data, and so forth. The one or more database(s) 126 may further store information related to third party server(s) 128, third-party third party application(s) 130, client device 110, client application(s) 114, users, and so forth. In one example, the one or more database(s) 126 may be cloud-based storage.

The server system 108 may be a cloud computing environment, according to some example embodiments. The server system 108, and any servers associated with the server system 108, may be associated with a cloud-based application, in one example embodiment.

The server system 108 includes an anomalous resources and events detection system 124. Anomalous resources and events detection system 124 may include one or more servers and may be associated with a cloud-based application. Anomalous resources and events detection system 124 may obtain user information associated with an online social platform from database(s) 126. The anomalous resources and events detection system 124 monitors social event-log data and identifies anomalous resources and events. The details of the anomalous resources and events detection system 124 are provided below in connection with FIG. 2.

The system 100 further includes one or more third party server(s) 128. The one or more third-party third party server(s) 128 may include one or more third party application(s) 130. The one or more third party application(s) 130, executing on third party server(s) 128 may interact with the server system 108 via API server 120 via a programmatic interface provided by the API server 120, For example, one or more the third-party applications 132 may request and utilize information from the server system 108 via the API server 120 to support one or more features or functions on a website hosted by the third party or an application hosted by the third party. The third party application(s) 130, for example, may provide software version analysis functionality that is supported by relevant functionality and data in the server system 108.

FIG. 2 is a block diagram illustrating an anomalous resources and events detection system 124. The anomalous resources and events detection system 124 includes the anomalous resource detector 202 and the culpable event identifier 204. As shown in FIG. 3, the anomalous resource detector 202 can include the summary statistics generator 302 and anomaly detector 304. Further, as shown in FIG. 4, the culpable event identifier 204 can include an event proximity generator 402 and an event cluster extractor 404.

Although the following flowcharts may describe the operations as a sequential process, many of the operations can be performed in parallel or concurrently. In addition, the order of the operations may be re-arranged. A process is terminated when its operations are completed. A process may correspond to a method, a procedure, etc. The steps of method may be performed in whole or in part, may be performed in conjunction with some or all of the steps in other methods, and may be performed by any number of different systems, such as the systems described in: FIG. 1, and FIG. 9.

FIG. 5 is a flow diagram illustrating an example method for finding anomalous resources and events in social data, according to some example embodiments.

In FIG. 5, the method 500 starts with the anomalous resources and events detection system 124 receiving an event-log E, composed of a stream of events e_(i)=(f(_(t,1)), f(_(i,2)) . . . f(_(i,d))) from resource R(e_(i)) at a time T(e_(i)) at operation 502. In some embodiments, the anomalous resource detector 202 receives the event-log E in operation 502. At operation 504, the anomalous resource detector 202 detects a set of anomalous resources R_(A) from the rest of the resources.

FIG. 6 is a flow diagram illustrating an example method for detecting a set of anomalous resources R_(A) (operation 504 in FIG. 5) in the method for finding anomalous resources and events in social data, according to some example embodiments. As shown in FIG. 6, to detect the anomalous resources R_(A), at operation 602, the anomalous resource detector 202 uses the summary statistics generator 302 to maintain multi-dimensional representations of the resources, in real-time. The multi-dimensional representations are resource-level summary statistics of the event-level features (e.g., categorical, textual, or numerical features) associated with each resource's events.

Specifically, each resource r_(i) is represented with an ensemble of resource-level statistics on event-level features f(_(i,1)) . . . f(_(i,d)) of the associated events {e_(i)|R(e_(i))=_(i)}, such that the resulting resource-level representation is a multi-dimensional representation. The event-level features may represent various aspects of social data including login status, username, etc. The summary statistics model 302 may extract any number of summary statistics from even a single event-level feature.

In general, the summary statistics generator 302 generates predefined summary statistics that are based on each of the event-level features (e.g., categorical, textual, or numerical features). In one example embodiment, the summary statistics model 302 selects only particular summary statistics in order to account for heavily skewed data (e.g. resources that generate a high number of events). For example, for numerical features, possible summary statistics include extrema (e.g. minimum, maximum), moments (e.g. mean, variance), and quantile statistics. For categorical features, possible summary statistics include inequality statistics (e.g. entropy, Gini score), distinct-value statistics (e.g. proportion of unique values), and frequency-based statistics (e.g. proportions of first and second most-frequent elements). Finally, for textual features, possible summary statistics include encoding patterns, text length, counts of unique strings over a set of strings.

The summary statistics generator 302 maintains and computes the multi-dimensional resource-level representations (e.g. summary statistics) for all of the resources associated with the events in the event-log. The summary statistics generator 302 uses reservoir sampling to compute numerical data (e.g. quantile statistics). For categorical data, the summary statistics generator 302 maintains hashmaps of unique elements and seen counts, while maintaining a separate counter for total seen elements. In one example embodiment, given a size-n sample from a feature with a categorical distribution P over j categories, the expected number of unique elements u can be computed by the following equation:

Σ_(i=1) ^(j)1−(1−p _(i))^(n)

wherein p_(i) denotes the probability mass on the i^(th) category of P.

Referring hack to FIG. 6, at operation 604, the anomalous resource detector 202 leverages the anomaly detector 304 to identify the anomalous resources. The anomaly detector 304 can be a trained unsupervised anomaly detection model that identifies the anomalous resources.

In one embodiment, the anomaly detector 304 evaluates the multi-dimensional resources representations using a pretrained windowed anomaly detection model. The anomaly detector 304 partitions the stream of events in the event-log into consecutive and non-overlapping time-windows, such that detection on a current window depends on a detector built from a prior window. Thus, at any given time, the anomaly detector 304 is concerned with two subsets of the event stream: the reference window and the current window. The anomaly detector 304 is thus trained on the reference window and utilized for the current window. Furthermore, the anomaly detector 304 sets a minimum event threshold and evaluates resources with a minimum number of events. Second, the anomaly detector 304 introduces stochasticity into the step such each resource is evaluated with an evaluation probability, thus avoiding frequent evaluations for high event-count resources and proportionally reducing runtime by inducing a stochastic delay in evaluation. In one example embodiment, given n events across m resources r₁ . . . r_(m), an event count |ε(r_(i))|˜P, an event count evaluation threshold r and a probability p_(eval), the expected ratio of evaluated events to total events can be represented by the following equation:

${{\mathbb{E}}\left\lbrack n_{eval} \right\rbrack} = {n^{- 1} \cdot m \cdot p_{eval} \cdot {\sum\limits_{k = \tau}^{K}\left\lbrack {p_{k} \cdot \left( {k - \tau + 1} \right)} \right\rbrack}}$

where K=max(supp(P)) and p_(k) is the fraction of k-event resources, such that |ε(r_(i))|=k.

Referring back to FIG. 5, at operation 506, the culpable event identifier 204 identifies a set of anomalous events associated with the set of anomalous resources previously detected at operation 504. The culpable event identifier 204 can incorporate learning of a between-event distance metric which obeys human intuitions regarding feature importance and produces coherent clusters of suspected events which are excessively similar.

FIG. 7 is a flow diagram illustrating an example method for identifying a set of anomalous events (operation 506 in FIG. 5) in the method for finding anomalous resources and events in social data, according to some example embodiments.

In order to identify the set of anomalous events, the culpable event identifier 204 first, at operation 702, uses the event proximity generator 402 to determine the distances between each of the events within the set of the anomalous resources. The first goal of the event proximity generator 402 is to devise a measure of distance between events, and next define a means of inferring feature weights. Devising a measure of distance between events involves quantifying distances given arbitrary event schemas including numerical, categorical or textual features. In one example embodiment, wherein two events have feature values a_(i), b_(i), quantifying distances across each feature type may be represented by the following:

${Numerical}{features}:\frac{❘{a_{i} - b_{i}}❘}{1 + {❘{a_{i} - b_{i}}❘}}$ Categoricalfeatures : a_(i) ≠ b_(i) ${{Textual}{features}:1} - \frac{❘{a_{i}\bigcap b_{i}}❘}{❘{a_{i}\bigcup b_{i}}❘}$

Inferring feature weights is essential in computing the event proximity because in the case of a login event, event features such as username or login status may be most important, while in the case of a registration event, the most important event features may depend on birthdate and email domain.

In one example embodiment, the event proximity generator 402 at operation 704, computes the event proximity by inferring feature weights. The feature weights are inferred by minimizing distance between input sets of similar events (S), and maximizing distance between input sets of dissimilar events (D) by the following:

${\min\limits_{W}{\sum\limits_{{({e_{i},e_{j}})} \in \mathcal{S}}{\Delta_{W}\left( {e_{i},e_{j}} \right)}^{2}}} - {\gamma{\log\left( {\sum\limits_{{({e_{i},e_{j}})} \in \mathcal{D}}{\Delta_{W}\left( {e_{i},e_{j}} \right)}} \right)}} + {\beta{W}_{F}}$ subjecttoW ≽ 0

The above formulation can be adjusted by tuning γ to increase weight of maximizing dissimilarity and tuning β to avoid over-reliance on single features. From the inferred metric Δw, the event proximity generator 402 can define the following similarity function:

σ_(w)=1−Δ_(w)

At operation 706, given the similarity function above, the event cluster extractor 404 included in the culpable event identifier 204 can produce clusters of suspected events that are similar. The event cluster extractor 404 can construct a cross-event similarity graph where an edge between events indicates their similarity. Upon constructing such a graph for each anomalous resource, the event cluster extractor 404 at operation 708, applies a subgraph-mining algorithm to extract coherent clusters in which each event in the cluster has a predefined similarity to at least one other event. The predefined similarity is an empirically tuned parameter which controls clustering aggressiveness.

FIG. 8 is a diagrammatic illustration representing an event cluster 800. Each cluster corresponds to the signature of a synchronized attack. For example, a resource (e.g. IP address) might have clusters (e.g. connected components E1 and E2) where each of the components denotes a different “attack” or type of abusive behavior.

Turning back to FIG. 5, at operation 504, the anomalous resources and events detection system 124 may cause an interface to be displayed on a computing device, wherein the interface includes the set of anomalous resources and events. In another example embodiment, the anomalous resources and events detection system 124 may target anomalous resources by activating rate-limits, issuing human verification challenges; or other problem specific challenges such as multi-factor authentication and validation for logins and registrations. In another example embodiment, the anomalous resources and events detection system 124 may target anomalous events by reversing event-triggered actions such as fraudulent account creation. 100521 FIG. 9 is a diagrammatic representation of the machine 900 within which instructions 908 (e.g., software, a program, an application, an applet, an app, or other executable code) for causing the machine 900 to perform any one or more of the methodologies discussed herein may be executed. For example; the instructions 908 may cause the machine 900 to execute any one or more of the methods described herein. The instructions 908 transform the general, non-programmed machine 900 into a particular machine 900 programmed to carry out the described and illustrated functions in the manner described. The machine 900 may operate as a standalone device or may be coupled (e.g., networked) to other machines. In a networked deployment, the machine 900 may operate in the capacity of a server machine or a client machine in a server-client network environment, or as a peer machine in a peer-to-peer (or distributed) network environment. The machine 900 may comprise, but not be limited to, a server computer, a client computer, a personal computer (PC), a tablet computer, a laptop computer, a netbook, a set-top box (STB), a PDA, an entertainment media system, a cellular telephone; a smart phone; a mobile device, a wearable device (e.g., a smart watch), a smart home device (e.g., a smart appliance), other smart devices; a web appliance, a network router, a network switch, a network bridge, or any machine capable of executing the instructions 908, sequentially or otherwise, that specify actions to be taken by the machine 900. Further, while only a single machine 900 is illustrated, the term “machine” shall also be taken to include a collection of machines that individually or jointly execute the instructions 908 to perform any one or more of the methodologies discussed herein.

The machine 900 may include processors 902, memory 904, and I/O components 942, which may be configured to communicate with each other via a bus 944. In an example embodiment, the processors 902 (e.g., a Central Processing Unit (CPU), a Reduced Instruction Set Computing (RISC) processor, a Complex Instruction Set Computing (CISC) processor, a Graphics Processing Unit (GPU), a Digital Signal Processor (DSP), an ASIC, a Radio-Frequency Integrated Circuit (RFIC), another processor, or any suitable combination thereof) may include, for example, a processor 906 and a processor 910 that execute the instructions 908. The term “processor” is intended to include multi-core processors that may comprise two or more independent processors (sometimes referred to as “cores”) that may execute instructions contemporaneously. Although FIG. 9 shows multiple processors 902, the machine 900 may include a single processor with a single core, a single processor with multiple cores (e.g., a multi-core processor), multiple processors with a single core, multiple processors with multiples cores, or any combination thereof.

The memory 904 includes a main memory 912, a static memory 914, and a storage unit 916, both accessible to the processors 902 via the bus 944. The main memory 904, the static memory 914, and storage unit 916 store the instructions 908 embodying any one or more of the methodologies or functions described herein. The instructions 908 may also reside, completely or partially, within the main memory 912, within the static memory 914, within machine-readable medium 918 (e.g., a non-transitory machine-readable storage medium) within the storage unit 916, within at least one of the processors 902 (e.g., within the processor's cache memory), or any suitable combination thereof, during execution thereof by the machine 900.

Furthermore, the machine-readable medium 918 is non-transitory (in other words, not having any transitory signals) in that it does not embody a propagating signal. However, labeling the machine-readable medium 918 “non-transitory” should not be construed to mean that the medium is incapable of movement; the medium should be considered as being transportable from one physical location to another. Additionally, since the machine-readable medium 918 is tangible, the medium may be a machine-readable device.

The I/O components 942 may include a wide variety of components to receive input, provide output, produce output, transmit information, exchange information, capture measurements, and so on. The specific I/O components 942 that are included in a particular machine will depend on the type of machine. For example, portable machines such as mobile phones may include a touch input device or other such input mechanisms, while a headless server machine will likely not include such a touch input device. It will be appreciated that the I/O components 942 may include many other components that are not shown in FIG. 9. In various example embodiments, the I/O components 942 may include output components 928 and input components 930. The output components 928 may include visual components (e.g., a display such as a plasma display panel (PDP), a light emitting diode (LED) display, a liquid crystal display (LCD), a projector, or a cathode ray tube (CRT)), acoustic components (e.g., speakers), haptic components (e.g., a vibratory motor, resistance mechanisms), other signal generators, and so forth. The input components 930 may include alphanumeric input components (e.g., a keyboard, a touch screen configured to receive alphanumeric input, a photo-optical keyboard, or other alphanumeric input components), point-based input components (e.g., a mouse; a touchpad, a trackball; a joystick, a motion sensor, or another pointing instrument), tactile input components (e.g., a physical button, a touch screen that provides location; force of touches or touch gestures, or other tactile input components), audio input components (e.g., a microphone), and the like.

In further example embodiments, the I/O components 942 may include biometric components 932, motion components 934, environmental components 936, or position components 938, among a wide array of other components. For example, the biometric components 932 include components to detect expressions (e.g., hand expressions, facial expressions, vocal expressions, body gestures, or eye tracking), measure biosignals (e.g., blood pressure, heart rate, body temperature; perspiration, or brain waves); identify a person (e.g., voice identification, retinal identification, facial identification, fingerprint identification, or electroencephalogram-based identification); and the like. The motion components 934 include acceleration sensor components (e.g., accelerometer), gravitation sensor components, rotation sensor components (e.g., gyroscope), and so forth. The environmental components 936 include, for example, illumination sensor components (e.g., photometer), temperature sensor components (e.g., one or more thermometers that detect ambient temperature), humidity sensor components, pressure sensor components (e.g.; barometer), acoustic sensor components (e.g., one or more microphones that detect background noise), proximity sensor components (e.g., infrared sensors that detect nearby objects), gas sensors (e.g.; gas detection sensors to detection concentrations of hazardous gases for safety or to measure pollutants in the atmosphere), or other components that may provide indications, measurements; or signals corresponding to a surrounding physical environment. The position components 938 include location sensor components (e.g., a GPS receiver component), altitude sensor components (e.g., altimeters or barometers that detect air pressure from which altitude may be derived), orientation sensor components (e.g., magnetometers), and the like.

Communication may be implemented using a wide variety of technologies. The I/O components 942 further include communication components 940 operable to couple the machine 900 to a network 920 or devices 922 via a coupling 924 and a coupling 926, respectively. For example, the communication components 940 may include a network interface component or another suitable device to interface with the network 920. In further examples, the communication components 940 may include wired communication components, wireless communication components, cellular communication components, Near Field Communication (NFC) components, Bluetooth® components (e.g., Bluetooth® Low Energy), Wi-Fi® components, and other communication components to provide communication via other modalities. The devices 922 may be another machine or any of a wide variety of peripheral devices (e.g., a peripheral device coupled via a USB).

Moreover, the communication components 940 may detect identifiers or include components operable to detect identifiers. For example, the communication components 940 may include Radio Frequency Identification (RFID) tag reader components, NFC smart tag detection components, optical reader components (e.g., an optical sensor to detect one-dimensional bar codes such as Universal Product Code (UPC) bar code, multi-dimensional bar codes such as Quick Response (QR) code, Aztec code, Data Matrix, Dataglyph, MaxiCode, PDF417, Ultra Code, UCC RSS-2D bar code, and other optical codes), or acoustic detection components (e.g., microphones to identify tagged audio signals). In addition, a variety of information may be derived via the communication components 940, such as location via Internet Protocol (IP) geolocation, location via Wi-Fi® signal triangulation, location via detecting an NFC beacon signal that may indicate a particular location, and so forth.

The various memories (e.g., memory 904, main memory 912, static memory 914, memory of the processors 902), storage unit 916 may store one or more sets of instructions and data structures (e.g., software) embodying or used by any one or more of the methodologies or functions described herein. These instructions (e.g., the instructions 908), when executed by processors 902, cause various operations to implement the disclosed embodiments.

The instructions 908 may be transmitted or received over the network 920, using a transmission medium, via a network interface device (e.g., a network interface component included in the communication components 940) and using any one of a number of well-known transfer protocols (e.g., hypertext transfer protocol (HTTP)). Similarly, the instructions 908 may be transmitted or received using a transmission medium via the coupling 926 (e.g., a peer-to-peer coupling) to the devices 922.

FIG. 10 is a block diagram 1000 illustrating a software architecture 1004, which can be installed on any one or more of the devices described herein. The software architecture 1004 is supported by hardware such as a machine 1002 that includes processors 1020, memory 1026, and I/O components 1038. In this example, the software architecture 1004 can be conceptualized as a stack of layers, where each layer provides a particular functionality. The software architecture 1004 includes layers such as an operating system 1012, libraries 1010, frameworks 1008, and applications 1006. Operationally, the applications 1006 invoke API calls 1050 through the software stack and receive messages 1052 in response to the API calls 1050.

The operating system 1012 manages hardware resources and provides common services. The operating system 1012 includes, for example, a kernel 1014, services 1016, and drivers 1022. The kernel 1014 acts as an abstraction layer between the hardware and the other software layers. For example, the kernel 1014 provides memory management, processor management (e.g., scheduling), component management, networking, and security settings, among other functionality. The services 1016 can provide other common services for the other software layers. The drivers 1022 are responsible for controlling or interfacing with the underlying hardware. For instance, the drivers 1022 can include display drivers, camera drivers, BLUETOOTH® or BLUETOOTH® Low Energy drivers, flash memory drivers, serial communication drivers (e.g., Universal Serial Bus (USB) drivers), WI-FI® drivers, audio drivers, power management drivers, and so forth.

The libraries 1010 provide a low-level common infrastructure used by the applications 1006. The libraries 1010 can include system libraries 1018 (e.g., C standard library) that provide functions such as memory allocation functions, string manipulation functions, mathematic functions, and the like. In addition, the libraries 1010 can include API libraries 1024 such as media libraries (e.g., libraries to support presentation and manipulation of various media formats such as Moving Picture Experts Group-4 (MPEG4), Advanced Video Coding (H.264 or AVC), Moving Picture Experts Group Layer-3 (MP3), Advanced Audio Coding (AAC), Adaptive Multi-Rate (AMR) audio codec, Joint Photographic Experts Group (JPEG or JPG), or Portable Network Graphics (PNG)), graphics libraries (e.g., an OpenGL framework used to render in two dimensions (2D) and three dimensions (3D) in a graphic content on a display), database libraries (e.g., SQLite to provide various relational database functions), web libraries (e.g., WebKit to provide web browsing functionality), and the like. The libraries 1010 can also include a wide variety of other libraries 1028 to provide many other APIs to the applications 1006.

The frameworks 1008 provide a high-level common infrastructure that is used by the applications 1006. For example, the frameworks 1008 provide various graphical user interface (GUI) functions, high-level resource management, and high-level location services. The frameworks 1008 can provide a broad spectrum of other APIs that can be used by the applications 1006, some of which may be specific to a particular operating system or platform.

in an example embodiment, the applications 1006 may include a home application 1036, a contacts application 1030, a browser application 1032, a book reader application 1034, a location application 1042, a media application 1044, a messaging application 1046, a game application 1048, and a broad assortment of other applications such as a third-party application 1040. The e applications 1006 are programs that execute functions defined in the programs. Various programming languages can be employed to create one or more of the applications 1006, structured in a variety of manners, such as object-oriented programming languages (e.g., Objective-C, Java, or C++) or procedural programming languages (e.g., C or assembly language). In a specific example, the third-party application 1040 (e.g., an application developed using the ANDROID™ or IOS™ software development kit (SDK) by an entity other than the vendor of the particular platform) may be mobile software running on a mobile operating system such as IOS™, ANDROID™, WINDOWS® Phone, or another mobile operating system. In this example, the third-party application 1040 can invoke the API calls 1050 provided by the operating system 1012 to facilitate functionality described herein. 

1. A method comprising: receiving, by a processor, a plurality of events associated with a plurality of resources; generating, in real-time, statistical representations of an associated event of each resource of the plurality of resources based on events of the plurality of events associated with each resource; generating a reference window comprising a first portion of the plurality of events and a current window comprising a second portion of the plurality of events; training an anomaly detector on the reference window; identifying a set of anomalous resources by analyzing the current window using the trained anomaly detector; identifying a set of anomalous events associated with the set of anomalous resources; and causing display, on a computing device, of an interface comprising the set of anomalous resources and the set of anomalous events.
 2. The method of claim 1, wherein the plurality of events comprises at least one of a login attempt, a button click, a form action, or an application flow.
 3. The method of claim 1, wherein the statistical representations are based on event-level features comprising at least one of a categorical feature, a textual feature, or a numerical feature.
 4. The method of claim 1, wherein the trained anomaly detector identifies the set of anomalous resources based on a minimum event threshold.
 5. The method of claim 1, wherein the statistical representations are resource-level representations based on summaries of a plurality of features associated with the plurality of events corresponding to the plurality of resources.
 6. The method of claim 1, wherein the plurality of events are received as a stream of events.
 7. The method of claim 1, further comprising: causing a server system to limit the number of events received by the set of anomalous resources.
 8. The method of claim 1, wherein identifying the set of anomalous events comprises: determining a plurality of distances between each of the plurality of events of the anomalous set of resources; computing an event proximity based on the plurality of distances; producing clusters of suspected events that are similar based on the event proximity; and extracting the clusters of suspected events, wherein each of the suspected events is an anomalous event.
 9. The method of claim 8, wherein computing the event proximity based on the plurality of distances comprises: determining a weight for each of the plurality of distances; and producing clusters of suspected events that are similar based on the weight.
 10. A system comprising: a memory that stores instructions; and a processor configured by the instructions to perform operations comprising: receiving a plurality of events associated with a plurality of resources; generating, in real-time, statistical representations of an associated event of each resource of the plurality of resources based on events of the plurality of events associated with each resource; generating a reference window comprising a first portion of the plurality of events and a current window comprising a second portion of the plurality of events; training an anomaly detector on the reference window; identifying a set of anomalous resources by analyzing the current window using the trained anomaly detector; identifying a set of anomalous events associated with the set of anomalous resources; and causing display, on a computing device, of an interface comprising the set of anomalous resources and the set of anomalous events.
 11. The system of claim 1, wherein the plurality of events comprises at least one of a login attempt, a button click, a form action, or an application flow.
 12. The system of claim 10, wherein the statistical representations are based on event-level features comprising at least one of a categorical feature, a textual feature, or a numerical feature.
 13. The system of claim 10, wherein the trained anomaly detector identifies the set of anomalous resources based on a minimum event threshold.
 14. The system of claim 10, wherein the statistical representations are resource-level representations based on summaries of a plurality of features associated with the plurality of events corresponding to the plurality of resources.
 15. The system of claim 10, wherein the plurality of events are received as a stream of events.
 16. The system of claim 10, the operations further comprising: causing a server system to limit the number of events received by the set of anomalous resources.
 17. The system of claim 10, wherein identifying the set of anomalous events comprises: determining a plurality of distances between each of the plurality of events of the anomalous set of resources; computing an event proximity based on the plurality of distances; producing clusters of suspected events that are similar based on the event proximity; and extracting the clusters of suspected events, wherein each of the suspected events is an anomalous event.
 18. The system of claim 17, wherein computing the event proximity based on the plurality of distances comprises: determining a weight for each of the plurality of distances; and producing clusters of suspected events that are similar based on the weight.
 19. A non-transitory processor-readable storage medium storing processor-executable instructions that, when executed by a processor of a machine, cause the machine to perform operations comprising: receiving a plurality of events associated with a plurality of resources; generating, in real-time, statistical representations of an associated event of each resource of the plurality of resources based on events of the plurality of events associated with each resource; generating a reference window comprising a first portion of the plurality of events and a current window comprising a second portion of the plurality of events; training an anomaly detector on the reference window; identifying a set of anomalous resources by analyzing the current window using the trained anomaly detector; identifying a set of anomalous events associated with the set of anomalous resources; and causing display, on a computing device, of an interface comprising the set of anomalous resources and the set of anomalous events.
 20. The non-transitory processor-readable storage medium of claim 10, wherein identifying the set of anomalous events comprises: determining a plurality of distances between each of the plurality of events of the anomalous set of resources; computing an event proximity based on the plurality of distances; producing clusters of suspected events that are similar based on the event proximity; and extracting the clusters of suspected events, wherein each of the suspected events is an anomalous event. 